fwsnort: Application Layer IDS/IPS with iptables

fwsnort parses the rules files included in the Snort® intrusion detection system and builds an equivalent iptables ruleset for as many rules as possible. fwsnort utilizes the iptables string match module, together with the --hex-string option for the iptables user-space code (originally a custom patch, now integrated into iptables), to detect application-level attacks.

fwsnort accepts command line arguments to restrict processing to any particular class of Snort rules, such as "ddos", "backdoor", or "web-attacks". Processing can even be restricted to a specific Snort rule as identified by its "snort id" or "sid". fwsnort makes use of the IPTables::Parse module to translate only those Snort rules for which matching traffic could potentially be passed through the existing iptables ruleset. That is, if iptables is not going to pass, say, HTTP traffic, then fwsnort will not include HTTP signatures within the iptables rule set that it builds. Because iptables, being a firewall, runs inline to network traffic by definition, fwsnort can build an iptables rule set that not only logs attacks but also drops packets and resets connections.
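As an added illustration (not fwsnort's own code or output), the following Python sketches the core translation described above: each content match of a Snort rule becomes an iptables string match expressed with --hex-string (nocase mapped to --icase), the sid is carried into a LOG prefix, and a DROP or connection-resetting REJECT rule follows. The sample rule, the chain name FWSNORT_FORWARD and the sid are constructed placeholders, and rules the sketch cannot express are skipped rather than translated.

```python
import re

# Constructed sample Snort rule (not from a real ruleset; the sid is a placeholder).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"WEB-ATTACKS example cmd.exe access"; flow:to_server,established; '
               'content:"GET "; content:"/cmd.exe"; nocase; sid:9999999; rev:1;)')

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')
# Options we translate: content (optionally negated with '!') and the nocase modifier.
OPT_RE = re.compile(r'(content):\s*(!?)"((?:[^"\\]|\\.)*)"\s*;|(nocase)\s*;')

def content_to_hex_string(content):
    """Convert a Snort content value (text with |hex| sections) into the |..|
    byte syntax taken by the iptables string match --hex-string option."""
    raw = bytearray()
    for i, part in enumerate(content.split('|')):
        if i % 2:                                   # odd segments lie between pipes: hex bytes
            raw += bytes.fromhex(part.replace(' ', ''))
        else:                                       # literal text; undo Snort's \" \; \\ escapes
            raw += re.sub(r'\\([\\";])', r'\1', part).encode('latin-1')
    return '|' + raw.hex() + '|'

def snort_to_iptables(rule, chain='FWSNORT_FORWARD', target='DROP'):
    """Translate one Snort rule into two iptables commands: a LOG rule whose prefix
    carries the sid, then the blocking rule. Returns None for rules this sketch cannot
    express (no content, negated content, or an unresolved $PORT variable)."""
    m = HEADER_RE.match(rule)
    if not m:
        return None
    _action, proto, _src, _sport, _dst, dport, opts = m.groups()
    contents = []                                   # [value, case_insensitive] in rule order
    for opt in OPT_RE.finditer(opts):
        if opt.group(1):
            if opt.group(2):                        # content:!"..." has no string-match equivalent
                return None
            contents.append([opt.group(3), False])
        elif contents:                              # nocase modifies the preceding content
            contents[-1][1] = True
    if not contents or dport.startswith('$'):
        return None
    match = ['-p', proto] + (['--dport', dport] if dport != 'any' else [])
    for value, icase in contents:                   # one -m string instance per content
        match += ['-m', 'string', '--algo', 'bm', '--hex-string', f'"{content_to_hex_string(value)}"']
        if icase:
            match.append('--icase')
    sid = re.search(r'sid:\s*(\d+)\s*;', opts)
    base = ['iptables', '-A', chain] + match
    log = base + ['-j', 'LOG', '--log-prefix', f'"[{sid.group(1) if sid else "nosid"}] "']
    block = base + ['-j', target] + (['--reject-with', 'tcp-reset'] if target == 'REJECT' and proto == 'tcp' else [])
    return [' '.join(log), ' '.join(block)]
```

Calling `snort_to_iptables(SAMPLE_RULE)` yields the LOG rule and the DROP rule as shell-ready strings; passing `target='REJECT'` produces the connection-reset variant instead.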

Data replacement patches for the iptables string match extension (2.4 kernels only) are available as a libipt_string patch and an ipt_string kernel patch. Together these patches emulate the replace keyword in Snort_inline by adding two new iptables command line options, "--replace-string" and "--replace-hex-string". All data replacement is performed within the kernel. See my DEFCON 12 presentation for more information.